How Should You Structure Your HIPAA BAA?

HIPAA compliance guidelines apply to a wide range of aspects of your business, starting with employee training and security at your office and going all the way to the physical and virtual security of your data center. With multiple vendors typically involved in handling and managing sensitive electronic medical records (EMR), it is important to ensure that each vendor's responsibilities are clearly spelled out.

What Part of HIPAA Affects You?

You need to have a good understanding of which part of HIPAA affects you. Your liability in any kind of HIPAA environment depends on how much you touch the data. If you are a covered entity (the owner of protected health information, such as a doctor or healthcare provider), there are parties within your supply chain that are also affected by HIPAA. Parties further down the chain touch the data less; they are still covered by HIPAA, but their liability decreases. The first thing you need to do is figure out whether you are a business associate (BA) or a covered entity. In some cases you can also be a sub-contractor to a business associate.

Here is a good sample scenario:

You have a healthcare practice that retains patient data. This is the covered entity. It uses a 3rd party billing system; that is a business associate. Data from the billing system may be hosted by a cloud hosting provider, who is the sub-contractor. In this case two Business Associate Agreements (BAAs) would be required: one between the covered entity and the business associate, and another between the business associate and the sub-contractor. Here is an infographic from a previous post that explains this. There are also instances where the medical office works directly with a hosting provider, requiring a slightly different BAA signed between those two organizations. Important note: even if the data is encrypted and the hosting provider does not have direct access to it, the hosting provider still MUST sign a BAA.

The BAA essentially manages the chain of custody. It clearly defines the roles and responsibilities of each party involved in the process.

Some key responsibilities of the hosting provider include, but are not limited to:

– Keeping the servers updated and patched
– Making sure there is a firewall in place
– Ensuring no unnecessary ports are open
– Making sure the data is encrypted

I hope you find this brief overview helpful as you work to ensure your HIPAA compliance. I have been working with clients on HIPAA for close to 10 years and would love to hear your thoughts on the new regulations and answer any questions you may have. Feel free to email me at blog@connectria.com or post a comment below.